Finger-pointing over Uber hack

A main breach of the IT programs at Uber allowed hackers to put up on the ride-sharing firm’s Slack channel and allegedly acquire entry to supply code.

On Sept. 19, Uber blamed hacking group Lapsus$ for the breach, which the corporate introduced days earlier. Lapsus$ is a global hacking group recognized for attacking firms within the tech trade, together with Microsoft, Cisco, Samsung, and Nvidia, in 2022 alone.

“The attacker accessed a number of inner programs, and our investigation has centered on figuring out whether or not there was any materials affect,” Uber mentioned in an announcement.

On the finish of its final monetary yr, Uber had 118 million energetic common customers.

Whereas Uber says it has “no proof” that the breach concerned delicate buyer information, customers ought to maintain an in depth eye on their private info, mentioned Darryl MacLeod, the digital chief info safety officer at LARES Consulting, a cybersecurity consulting agency.

“Whereas Uber says delicate information is protected, prospects ought to nonetheless be vigilant till Uber can affirm that it wasn't breached,” MacLeod instructed the Washington Examiner.

Days after the Uber assault, the identical hacker was blamed for placing Rockstar Video games, which noticed a number of movies of the corporate’s Grand Theft Auto 6 online game launched.

Within the Uber assault, the hacker introduced the ride-sharing firm had suffered an information breach on an organization Slack channel.

Nonetheless, the corporate hasn’t seen proof that the attacker was in a position to entry the public-facing programs that run Uber’s app, nor did the breach contain databases that the corporate makes use of to retailer delicate info comparable to automobile journey historical past and bank card numbers, Uber mentioned.

The corporate’s Uber ride-sharing, Uber Eats, and Uber Freight companies remained on-line throughout and after the assault, the corporate mentioned.

Whereas this hack seems to be on Uber’s company IT surroundings and never on buyer information, it’s price noting that an attacker in 2016 harvested the info of 57 million Uber prospects, famous Christopher Prewitt, the chief expertise officer at Inversion6, a cybersecurity companies supplier.

“The optics of blaming an elite hacking group would make an assault like this appear not possible to defend. Nonetheless, the assault path and abilities used weren’t of excessive problem,” Prewitt instructed the Washington Examiner. “Lapsus$ is usually recognized for high-profile assaults that aren’t essentially monetized and accomplished with a aptitude for the dramatic.”

In lots of instances, Lapsus$'s motivation seems to be “notoriety and bragging rights,” mentioned MacLeod, the cybersecurity guide.

Uber blamed a compromised account at an exterior contractor for its breach. The attacker possible bought the contractor’s Uber company password on the darkish net after the contractor’s private gadget had been contaminated with malware, the corporate mentioned. After acquiring the password, the attacker repeatedly tried to log into the contractor’s Uber account, and the contractor finally accepted a two-factor authentication approval request.

The attacker then compromised a number of Uber worker accounts, giving the individual entry to a number of instruments, together with G-Suite and Slack, Uber mentioned.

Previously, Lapsus$ has extorted the victims of its assaults and threatened to leak information if its calls for weren’t met, mentioned Yaron Kassner, the chief expertise officer and co-founder at multifactor authentication supplier Silverfort. “Publishing such info additionally serves to bolster their credentials and present future victims their intentions are critical,” Kassner instructed the Washington Examiner.

Whereas Uber has mentioned that it has not seen a breach of buyer information, it could be too early to inform, Kassner mentioned. Whether or not or not buyer info is concerned is “one thing that can solely be absolutely ascertained as soon as an incident investigation is full, which takes time,” Kassner. “Given the excessive degree of privileges obtained, it stays a chance.”